The nature and structure of information stored in a digital format (e.g. computer software, multimedia information, etc.) allows it to be copied and distributed easily over a wide variety of mediums, including modems, wireless technologies, CD-ROMs, floppy disks, the Internet, bulletin boards, computer networks, etc. This attribute makes digital information difficult to protect.
One prior art solution for protecting, yet widely disseminating, digital information is to allow free distribution of the information in encrypted form. An example of such a system is disclosed in Mori, R., "Superdistribution: The Concept and Architecture", Transaction of the Institute of Electronics, Information and Communications Engineers, vol. E73, no. 7, pp. 1133-46, July 1990 (Japan).
In systems such as that taught by Mori, the storage of digital information in an encrypted format allows any user to obtain a copy of the information for free, or for a small fee that covers the cost of the associated storage medium.
After previewing a deliberately unencrypted sample of the information, if the user actually wants to use the full set of information (e.g. to view data, play a game, use an application program, etc.), the user can do so by paying a fee. After the fee is paid (usually electronically by use of a credit card), the user receives a decryption key which allows decryption and use of the digital information.
In prior art systems of the foregoing type, the encrypted data is typically encrypted on a file by file basis. That is, a whole file of data is encrypted as a unit. Such an approach, however, has various drawbacks. For example, the whole file of data must be decrypted before any of the information can be used, even if only a small portion of the information is needed. This wastes computational time and computer resources.
Within the field of data encryption/decryption generally, there are prior art "secure" file systems which have the capability to perform encryption/decryption operations transparently to the user, as data is written to/read from a storage medium. A number of such systems are disclosed in the cited references.
These secure file systems, too, have various drawbacks. For example, there is little flexibility as to the encryption method, encryption pattern, or decryption key type to be used. Accordingly, the information must be encrypted with a method, pattern and key type that are already known to the file system. Further, the operating system must provide a set of especially adapted application programs to handle encrypted information. Existing programs must be extensively revised to make use of the additional application programs before they can be run using the secure file system.
In accordance with a preferred embodiment of the present invention, the foregoing and other problems of the prior art are overcome. In the preferred embodiment, data is encrypted on a per-sector basis. Some portion of a sector comprising a file can be left unencrypted, speeding access since less decryption is required. Different files can utilize different encryption depth techniques, increasing protection against unauthorized decryption.
Decryption is accomplished with a layered set of operating system software that operates in conjunction with specialized APIs. Application programs are provided unencrypted data using conventional APIs, by issuing calls to the specialized APIs which identify the encrypted files and the form of encryption used. Internal interfaces, invisible to the APIs, intercept normal processing calls (e.g. READS) and direct them to internal decryption software that returns decrypted data back to the APIs.
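The per-sector scheme and the intercepted read described above can be sketched as follows. This is an added example, not code from the patent. Assumptions: a 512-byte sector, a hypothetical `depth` parameter giving how many leading bytes of each sector are encrypted, hypothetical function names, and an HMAC-SHA256 keystream standing in for whatever cipher an implementation would use.

```python
import hashlib
import hmac

SECTOR = 512  # assumed sector size in bytes


def _keystream(key: bytes, sector_no: int, n: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode, bound to the sector number.
    out = b""
    ctr = 0
    while len(out) < n:
        block = sector_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor_sector(key: bytes, sector_no: int, sector: bytes, depth: int) -> bytes:
    # Transform only the first `depth` bytes; the rest of the sector stays clear.
    ks = _keystream(key, sector_no, min(depth, len(sector)))
    return bytes(a ^ b for a, b in zip(sector, ks)) + sector[len(ks):]


def encrypt_file(key: bytes, data: bytes, depth: int) -> bytes:
    return b"".join(
        xor_sector(key, i // SECTOR, data[i:i + SECTOR], depth)
        for i in range(0, len(data), SECTOR)
    )


def read(key: bytes, stored: bytes, offset: int, length: int, depth: int):
    """Serve a byte-range read; return (plaintext, sectors_decrypted)."""
    end = min(offset + length, len(stored))
    if end <= offset:
        return b"", 0
    out, decrypted = bytearray(), 0
    for s in range(offset // SECTOR, (end - 1) // SECTOR + 1):
        base = s * SECTOR
        raw = stored[base:base + SECTOR]
        lo, hi = max(offset, base) - base, min(end, base + SECTOR) - base
        if lo < depth:  # range overlaps the encrypted head of this sector
            raw = xor_sector(key, s, raw, depth)
            decrypted += 1
        out += raw[lo:hi]
    return bytes(out), decrypted
```

A read that lands entirely in the clear tail of a sector costs no decryption, whereas whole-file encryption would require decrypting everything first. The stand-in keystream provides no integrity protection.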
The foregoing and other features and advantages of the preferred embodiment of the present invention will be more readily apparent from the following detailed description, which proceeds with reference to the accompanying drawings.